Information Assurance


• Definition

- Information operations that defend the global information enterprise (GIE) through employment of Protect, Detect, Assess and Respond capabilities. This is accomplished by ensuring availability, integrity, authentication, confidentiality, and non-repudiation (based on DODD S-3600.1 & AFDD 2-5).

• Approach

- Develop technology for and transition technology to AF, DoD and National customers

- Continuous capability improvement through experimentation with the warfighter, spiral development, leverage of COTS, and technology transition, e.g., CAOC-X, JBI, etc.

• Value to the Warfighter

- Accurate, trusted, reliable warfighter information

- Survivable information systems and networks

- Information superiority through assured information operations


Information Assurance

“A Short History”


• Pre-1970’s

- Encryption

• 1970’s

- Computer Security R&D begins (“Test and Patch”)

• 1980’s

- Multilevel Security

- Strong Security Based on Special-Purpose Systems

- Risk Avoidance

- “Orange Book” Evaluation Criteria

• 1990’s

- Movement Towards COTS Software

- Perfect Security Recognized as Unachievable

- Risk Management

• 2000 & Beyond

- Trend toward Information Survivability

- Situational Awareness

- Intrusion Tolerance

- Active Response


Information Assurance
Today’s Capability


Protect

- Encryption (VPN, Digital Signature, PKI, etc.)

- Firewalls/Guards/Boundary Controllers

- Passwords, Biometrics

- Trusted Operating Systems/Database Management Systems

- Physical Security (Stovepipes, Vaults, etc.)

- Vulnerability Scanners

- “Penetrate and Patch”

Detect

- Virus Scanners (Signature-Based)

- Intrusion Detection (Signature-Based)

- Auditing

Assess

- Computer Forensics Tools (Media Imaging, Data Recovery, etc.)

- CERTs

Respond

- Physical Media Relocation

- Backups
Vision


• Protect the GIE with a high degree of confidence

- Assured defense-in-depth against a wide variety of threats

- Understand/manage risks and plan for protection

• Detect information attacks

- Early warning using lightweight cooperating sensors

- Efficient, accurate data reduction, fusion, correlation

• Assess information attacks

- Identify adversary, nature, timing, severity

- Determine mission impact

- Develop courses of action

• Respond to a successful IW attack in an appropriate manner

- Graceful degradation, recovery, reconstitution

- Feedback to improve protection and detection processes

- Offensive Information Operations
Information Assurance

Vision


[Figure: Protect, Detect, Respond and Tolerant capabilities arranged around a shared Knowledge Base, with Active Response (Traceback, Fingerprint, ID) directed at incoming Attacks and Malicious Code]
National Scale INFOSEC Hard Problems

[By the INFOSEC Research Council]


• Intrusion/Misuse Detection & Response

• Foreign & Mobile Code

• Controlled Sharing of Sensitive Information

• Application Security

• Denial-of-Service

• Communications Security

• Security Management Infrastructure

• Security in Mobile Environments

• Security Engineering Methodologies

• Influencing Vendors
Technical Approach


[Figure: technology-area diagram; the labels below are grouped as they appear on the slide]

• High Assurance
• RF Protect
• Secure Mobile Code
• Boundary Controllers
• Embedded Systems
• Wrappers

• Intrusion Tolerance
• Active Response
• Fault Tolerant Networks
• Effects-Based IO
• Assured QoS

• Situation Awareness
• Forensics
• Decision Support & IO Planning

• Early Warning
• Data Hiding
• Sovereign Time

• Data Mining
• Intelligent Agents
• Auto Intrusion Detection Env
• AF Enterprise Defense
• Wireless Intrusion Detection
Success Stories


• DAIWatch

• CYBERWOLF

• Wireless Information Assurance

• Steganography

• Air Force Enterprise Defense (AFED)


Distributed Agents for Information Warfare Operational Transition (DAIWatch)


Objective: Enhance level of Information Assurance by utilizing breakthroughs in software agent and fusion technologies that provide revolutionary flexibility, extensibility, and reliability

Approach:

• Agent Technology via Java Aglets

• Dynamic distribution of multiple host sensors

• Integrated multi-dimension graphical analysis


DAIWatch Revolution

• Finds the most sophisticated attackers

• Reduces security administration

• Adjusts to risk and minimizes overhead

• Not vulnerable to compromise


Technology Transition

• Phase III SBIR

• AFIWC - agreements to integrate DAIWatch with CIDDS

• JBC - DAIWatch selected for operational demonstration (focused on ability to transport functions and data across SIPRnet)

• Beta Test Program with a commercial investment company

CYBERWOLF


Problem: Network defenders cannot process thousands of low-level events in real time.

Objective: Enhance network defense by automatically correlating network management events with Intrusion Detection System (IDS) events to provide accurate situational information

Approach:

• Place lightweight device experts on all network assets

• Device experts adaptable to a specific installation’s operational security policy

• Remotely manage geographically separate installations in a 24/7 mode


Status

• Cyberwolf correlating events from AFRL RRS NOC

• Cyberwolf commercialization effort fully underway with several potential customers

• Correlation capability from Cyberwolf is being channeled into AFED program

• Rule set currently exceeding 2000 entries

• Cyberwolf under evaluation for use by several large corporations and a Canadian bank for network enterprise protection

CyberWolf Architecture

[Figure: CyberWolf architecture diagram (labels not recoverable)]

Technical Challenges

• Distribute event processing between enterprise and device

• Design and implement device experts for all types of network assets

• Encapsulate net defenders’ knowledge into rule structure

• Reduce thousands of net events to a few highly reliable incidents

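The reduction step that the Problem/Objective bullets and the Technical Challenges above describe, as an added example in Python. It is not CyberWolf code and claims nothing about CyberWolf’s internals: the Event layout, the two event sources, the 120-second window and the RULES table (standing in for a device-expert rule set) are all constructed for this illustration, as are the sample events.

```python
"""Added example, not CyberWolf code: fold many low-level IDS and
network-management events into a few per-host incidents.

Constructed for this illustration: the Event layout, the two sources,
the 120-second window and the RULES table that stands in for the
slide's "device expert" rule set.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: int           # seconds (constructed timestamps)
    source: str       # "ids" or "netmgmt"
    host: str         # asset the event is about
    kind: str         # e.g. "portscan", "failed_login", "link_down"
    detail: str = ""


@dataclass
class Incident:
    host: str
    start: int
    end: int
    kinds: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    count: int = 0
    severity: str = "info"


WINDOW = 120  # seconds; events on one host closer than this are grouped

# Constructed rules: event kinds that must co-occur on a host within one
# window, and the severity to assign. First match wins, so the most
# specific combination is listed first.
RULES = [
    ({"portscan", "failed_login"}, "high"),
    ({"failed_login", "cpu_high"}, "medium"),
    ({"portscan"}, "low"),
]


def correlate(events, window=WINDOW, rules=RULES):
    """Group events per host into time windows, keep only the groups that
    match a rule, and return those as Incident records. Groups matching
    no rule (link flaps, lone failed logins, ...) are dropped as noise."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)

    incidents = []
    for host, evs in by_host.items():
        current = None
        for e in evs:
            if current is None or e.ts - current.end > window:
                current = Incident(host=host, start=e.ts, end=e.ts)
                incidents.append(current)
            current.end = e.ts
            current.kinds.add(e.kind)
            current.sources.add(e.source)
            current.count += 1

    kept = []
    for inc in incidents:
        for required, severity in rules:
            if required <= inc.kinds:        # all required kinds present
                inc.severity = severity
                kept.append(inc)
                break                         # first matching rule wins
    return kept


# Constructed sample: 17 raw events from two sensor types on three hosts.
SAMPLE_EVENTS = (
    [Event(1000 + i, "ids", "10.0.0.5", "failed_login", "ssh") for i in range(8)]
    + [Event(1010, "ids", "10.0.0.5", "portscan", "tcp/1-1024"),
       Event(1030, "netmgmt", "10.0.0.5", "cpu_high", "97%")]
    + [Event(1000 + 30 * i, "netmgmt", "10.0.0.9", "link_down", "eth1") for i in range(6)]
    + [Event(2000, "ids", "10.0.0.7", "portscan", "udp sweep")]
)


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"{inc.host}: {inc.severity} ({inc.count} events, "
              f"kinds={sorted(inc.kinds)}, sources={sorted(inc.sources)})")
```

On the constructed input the 17 events collapse to two incidents: the host that shows a port scan, repeated failed logins and a CPU spike from the network-management side becomes one high-severity incident with both sources attached, while the six link-flap events on another host match no rule and never reach the operator.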

Tech Transitions

• Federal Emergency Management Agency

• Naval Sea Systems Command

• Air Force Research Lab

• Joint Battle Center

• Land Information Warfare Activity
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4  4 

^0  AFRL  Wireless  lA  Program 

_ 


Objective:  Enhance  and  extend  lA  for 
wireless  through  synergistic  in- 
house  and  contractual  activities 


Current  Projects: 

•  Wireless  Intrusion  Detection  &  Distributed 
Boundary  Control 

•  Combined  Access  Point/Firewall/VPN/Intrusion 
Sensor  Device 

•  Wireless  &  Mobile  Authentication/Key  Revocation 

•  Adaptive  RF  Wireless  Nodes 

•  Software  Defined  Radio  for  Wireless  Information 
Assurance 

•  Intrusion  Detection  Agents  for  Handheld  Devices 

•  Automated  Wireless  LAN  Compliance  Monitoring 
Techniques 

•  AF  Wireless  Security  Architecture  Development 

•  DOD  Overarching  Wireless  Policy  Development 


Accomplishments: 

•  Developed  site  survey  and  compliance  monitoring  techniques 

•  Created  wireless  architecture  adopted  by  AF 

•  Developed  and  demonstrated  wireless  intrusion  detection  and 
policy  violation  detection  techniques 

•  Provided  key  inputs  to  DOD  overarching  policy 

•  Assessed  netstumbler.com  threat  in  the  context  of  AF  base 
locations 

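A compliance check of the kind the “Automated Wireless LAN Compliance Monitoring” project and the “policy violation detection” accomplishment above refer to, as an added example that is not AFRL code. The Observation fields, the AUTHORIZED inventory, the security labels and the finding names are assumptions made for the illustration, and the survey data is constructed.

```python
"""Added example, not AFRL code: check a wireless site survey against an
authorized-AP inventory and a security policy, reporting violations.

Constructed for this illustration: the Observation fields, the AUTHORIZED
inventory, the security labels and the finding names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str      # AP MAC address as seen in beacons
    channel: int
    security: str   # constructed labels: "open", "wep", "wpa2"
    rssi: int       # dBm at the survey sensor


@dataclass(frozen=True)
class Finding:
    kind: str
    bssid: str
    detail: str


# Constructed inventory of sanctioned access points: BSSID -> (SSID, channel)
AUTHORIZED = {
    "00:11:22:33:44:01": ("AFNET-WLAN", 1),
    "00:11:22:33:44:02": ("AFNET-WLAN", 6),
    "00:11:22:33:44:03": ("AFNET-WLAN", 11),
}
ALLOWED_SECURITY = {"wpa2"}   # policy assumption: nothing weaker is sanctioned


def check_policy(observations, authorized=AUTHORIZED, allowed=ALLOWED_SECURITY):
    """Compare a survey against the inventory and policy; return findings."""
    findings = []
    seen = set()
    sanctioned_ssids = {ssid for ssid, _ in authorized.values()}

    for o in observations:
        seen.add(o.bssid)
        if o.bssid in authorized:
            ssid, channel = authorized[o.bssid]
            if o.ssid != ssid:
                findings.append(Finding("misconfigured-ssid", o.bssid,
                                        f"advertises {o.ssid!r}, expected {ssid!r}"))
            if o.channel != channel:
                findings.append(Finding("channel-drift", o.bssid,
                                        f"on channel {o.channel}, expected {channel}"))
            if o.security not in allowed:
                findings.append(Finding("weak-security", o.bssid,
                                        f"{o.security} is not an allowed mode"))
        elif o.ssid in sanctioned_ssids:
            # An unknown radio advertising our SSID: evil twin / spoofed AP.
            findings.append(Finding("evil-twin", o.bssid,
                                    f"unknown BSSID advertising {o.ssid!r}"))
        else:
            kind = "rogue-open" if o.security == "open" else "rogue"
            findings.append(Finding(kind, o.bssid,
                                    f"unsanctioned AP {o.ssid!r} on channel {o.channel}"))

    # Sanctioned APs that never showed up may be down, moved or jammed.
    for bssid in sorted(authorized.keys() - seen):
        findings.append(Finding("missing-ap", bssid, "authorized AP not observed"))
    return findings


# Constructed survey: one clean AP, one fallen back to WEP, a home router,
# an evil twin, and one sanctioned AP that was not heard at all.
SURVEY = [
    Observation("AFNET-WLAN", "00:11:22:33:44:01", 1, "wpa2", -51),
    Observation("AFNET-WLAN", "00:11:22:33:44:02", 6, "wep", -60),
    Observation("linksys", "00:1a:2b:3c:4d:5e", 11, "open", -72),
    Observation("AFNET-WLAN", "66:55:44:33:22:11", 1, "wpa2", -45),
]


if __name__ == "__main__":
    for f in check_policy(SURVEY):
        print(f"{f.kind:18} {f.bssid}  {f.detail}")
```

The evil-twin rule is the one worth noting: matching on SSID alone would pass the spoofed AP as sanctioned, so the inventory is keyed on BSSID and the SSID check runs only after the BSSID has been accepted. Absent APs are reported too, since a sanctioned radio that has gone quiet is as much a survey result as a rogue one.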

Wireless IA Problem Space:

[Figure: wireless IA problem space laid out across Protect, Detect, Respond]


Smart Digital Data

[Figure: sample image, captioned “Warning! Image contains hidden data”]


Technology Area: Data Hiding/Embedding

• Steganography

• Watermarking

• Steganalysis

Payoff: Information Assurance

• data & source authentication

• tamper detection & data recovery

• automatic data dissemination through guards; classification & license marking

• detection & identification of adversary steganographic activity & extraction of hidden data

• tracing sources of data leaks

• minimize data loss (corrupt data pointers; invalid data headers)

Payoff: Information Enhancement

• embedded auxiliary information (images, documents, overlays, audio, links, etc.)

• multi-level data release to coalition forces; key-based access

• covert communication

• maximize throughput of communication channels

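An added example, not code from the AFRL program, that shows three of the payoffs listed above working together: a keyed tag for data and source authentication and tamper detection, LSB embedding and extraction of hidden data, and a simple steganalysis check that flags the hidden channel. The synthetic gradient cover, the fixed demo key, the payload layout and the detector threshold are all assumptions made for this illustration.

```python
"""Added example (not AFRL code): LSB data hiding with a keyed tag,
extraction, and a steganalysis check. Cover, key, payload layout and
detector threshold are constructed for this demo."""
import hashlib
import hmac

KEY = b"demo-key-not-for-real-use"   # assumed shared secret
TAG_LEN = 8                           # bytes of truncated HMAC embedded

# Constructed cover: 4096 gray pixels rising by one every 8 pixels, so the
# LSB plane is long runs of 0s and 1s, as in smooth regions of a real image.
COVER = bytes((i // 8) & 0xFF for i in range(4096))
MESSAGE = b"constructed demo payload: overlay v3 released to coalition, key id 7"


def keystream(key: bytes, nbytes: int) -> bytes:
    """Counter-mode SHA-256 stream: whitens the payload so its bits look
    random in the LSB plane, and ties extraction to the key."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def carrier_tag(pixels: bytes, key: bytes) -> bytes:
    """HMAC over the upper 7 bits of every pixel. Embedding rewrites only
    LSBs, so the tag survives it; any edit to visible content breaks it."""
    return hmac.new(key, bytes(p & 0xFE for p in pixels), hashlib.sha256).digest()[:TAG_LEN]


def embed(cover: bytes, message: bytes, key: bytes = KEY) -> bytearray:
    """Write [2-byte length | message | tag], whitened, into the cover's LSBs."""
    payload = len(message).to_bytes(2, "big") + message + carrier_tag(cover, key)
    whitened = bytes(a ^ b for a, b in zip(payload, keystream(key, len(payload))))
    bits = [(byte >> (7 - i)) & 1 for byte in whitened for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("message too long for this cover")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def lsb_bytes(pixels: bytes, nbytes: int) -> bytes:
    """Read nbytes from the LSB plane, MSB-first within each byte."""
    if nbytes * 8 > len(pixels):
        raise ValueError("carrier too short")
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for p in pixels[i * 8:(i + 1) * 8]:
            value = (value << 1) | (p & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes, key: bytes = KEY):
    """Return (message, tag_ok). tag_ok is False if the carrier's upper bits
    were altered after embedding, or the key is wrong."""
    if len(stego) < (2 + TAG_LEN) * 8:
        return b"", False
    ks = keystream(key, len(stego) // 8)
    header = bytes(a ^ b for a, b in zip(lsb_bytes(stego, 2), ks[:2]))
    total = 2 + int.from_bytes(header, "big") + TAG_LEN
    if total * 8 > len(stego):
        return b"", False                 # garbage length: wrong key or no payload
    raw = bytes(a ^ b for a, b in zip(lsb_bytes(stego, total), ks[:total]))
    message, tag = raw[2:total - TAG_LEN], raw[total - TAG_LEN:]
    return message, hmac.compare_digest(tag, carrier_tag(stego, key))


def lsb_transition_rate(pixels: bytes, start: int, length: int) -> float:
    """Fraction of adjacent pixel pairs whose LSBs differ."""
    lsb = [p & 1 for p in pixels[start:start + length]]
    return sum(a != b for a, b in zip(lsb, lsb[1:])) / (len(lsb) - 1)


def looks_stego(pixels: bytes, block: int = 256, threshold: float = 0.3) -> bool:
    """Steganalysis for smooth covers: whitened payload bits flip about half
    the time, the gradient's LSBs once per 8-pixel run (rate about 0.12).
    The threshold is a demo assumption for this cover, not a general rule."""
    return any(lsb_transition_rate(pixels, s, block) > threshold
               for s in range(0, len(pixels) - block + 1, block))


if __name__ == "__main__":
    stego = embed(COVER, MESSAGE)
    print("extracted:", extract(stego))
    print("cover flagged:", looks_stego(COVER), "| stego flagged:", looks_stego(stego))
    tampered = bytearray(stego)
    tampered[100] ^= 0x80                 # edit visible content, leave LSBs alone
    print("after tamper:", extract(tampered))
```

Whitening the payload with a keyed stream is what makes both extraction and the tag depend on the key; it is also what makes the channel detectable here, because a smooth cover’s LSB plane does not flip on every other pixel. The transition-rate statistic is the simplest one that separates this constructed cover from its stego version; steganalysis of natural images relies on stronger tests (chi-square on LSB pairs, RS analysis) rather than a fixed threshold.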
Air Force Enterprise Defense

(AFED)


Objectives

• Provide a Defense-in-Depth capability that integrates existing event information:

- Policy Enforcement; Change/Configuration Management; Threat & Vulnerability Assessment with Countermeasure recommendations; Intrusion Detection; Network Management

• Fuse Information Assurance (IA) and Network Management data into a Common Enterprise Picture

• Provide a consistent visual environment for information portrayal


Approach

• Spiral tech exploration, development, validation, and feedback process

- Automated Reporting for Containment and IO Targeting

- Mission Situational Assessment

- Automated Courses of Action

Transition Agents: ESC/DIGC, ESC/DIW

End Users: MAJCOM NOSCs, AFNOSC, CAOC-X


Payoffs

• Integrates existing enterprise sensors and provides enhanced Information Assurance and Enterprise Defense capabilities in support of the AF Protect-Detect-React/Restore model.

• Assists in the automated detection and reporting of information attacks, containment and restoration of compromised systems, and planning/protection of enterprise assets.

• Supports entire NOSC mission by cross-sharing of data among NOSC crew


Air Force Enterprise Defense

Moving from Data-Centric to Mission-Centric Operations


Vision

[Figure: AFRL prototype screen capture]

• “NOSC-in-a-box” — one application integrates all NOSC tools

• One application addresses needs of entire NOSC crew
Summary


• The AFRL/IF program includes all aspects of the IA problem

- Protect

- Detect

- Assess

- Respond

• Addressing the hard IA problems

- Leading edge technology

• Addressing technology at all levels

- Basic Research

- Exploratory Development

- Advanced Development